This section discusses the steps to integrate DAST.
The script is delivered as part of NSX Advanced Load Balancer SDK, which is available on Controller in the DAST directory. The following are the steps to integrate DAST with WAF.
Run a scan against a web application not protected by WAF.
If you find any issues, the
avi-iwaf-vpatch.py
uses the output of the scan to generate WAF Policy rules.Enable WAF.
Scan again. The subsequent scans will not report issues for problems handled by WAF Policy.
The avi-iwaf-vpatch.py
generates NSX Advanced Load Balancer WAF Policy Positive Security rules. It creates a WAF Policy Positive Security group containing all the rules covering DAST scan issues. The avi-iwaf-vpatch.py
automatically creates Positive Security locations for each vulnerable URL reported by the scanner, and Positive Security rules for each supported issue.
The avi-iwaf-vpatch.py
does not generate rules to protect from all the potential issues found. The script will generate rules related to parameter security, for example, URL parameters, HTML form fields and XML or JSON attributes.